More Tricks For Defeating SSL In Practice
Moxie Marlinspike <moxie@thoughtcrime.org>
Institute For Disruptive Studies

Once Again, The Back Story...

In the past, I've talked about BasicConstraints...

Certificate Chaining
[Diagram: VeriSign → Intermediate CA → paypal.com]

Certificate Chaining
[Diagram: VeriSign → Intermediate CA → Intermediate CA → paypal.com]

How do we verify these things?

What they say:
● Verify that the name of the leaf node is the same as the site you're connecting to.
● Verify that the leaf certificate has not expired.
● Check the signature.
● If the signing CA is in our list of trusted root CAs, stop. Otherwise, move one up the chain and repeat.

Here Be Dragons
● Very tempting to use a simple recursive function.
● Everyone focuses on the signature validation.
● The result of a naïve attempt at validation is a chain that is complete, but nothing more.

What if...
[Diagram: VeriSign → Intermediate CA → Intermediate CA → thoughtcrime.org]

What if...
[Diagram: VeriSign → Intermediate CA → Intermediate CA → thoughtcrime.org → paypal.com]

What they say:
● Verify that the name of the leaf node is the same as the site you're connecting to.
● Verify that the leaf certificate has not expired.
● Check the signature.
● If the signing CA is in our list of trusted root CAs, stop. Otherwise, move one up the chain and repeat.

Something must be wrong, but...
● All the signatures are valid.
● Nothing has expired.
● The chain is intact.
● The root CA is embedded in the browser and trusted.

But we just created a valid certificate for PayPal, and we're not PayPal?

The missing piece...

...is a somewhat obscure field.

Back In The Day
● Most CAs didn't explicitly set basicConstraints: CA=False
● Whether the field was there or not, most SSL implementations didn't bother to check it.
● Anyone with a valid leaf node certificate could create and sign a leaf node certificate for any other domain.
● When presented with a complete chain, IE, Outlook, Konqueror, OpenSSL, and others considered it valid...
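
The gap described on the slides above, as an added example that is not from the talk or from any tool it mentions: a Python model of chain validation in which the signature check is reduced to matching key identifiers (an assumption; no real X.509 parsing or cryptography is performed). `naive_validate` follows the "What they say" steps, `strict_validate` adds the basicConstraints check on every certificate above the leaf; the `Cert` fields and sample chains are constructed, reusing the names shown on the slides.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Cert:
    """Constructed model of a certificate; not a real X.509 structure."""
    subject: str
    issuer: str
    subject_key: str        # id of the key this certificate binds to the subject
    signed_with: str        # id of the key that signed it (stands in for the signature)
    not_after: datetime
    is_ca: Optional[bool]   # basicConstraints CA flag; None = extension absent


def _validate(chain: List[Cert], hostname: str, roots: Dict[str, str],
              now: datetime, require_ca: bool) -> bool:
    """Walk the chain leaf-first. roots maps a trusted root name to its key id."""
    if not chain or chain[0].subject != hostname:
        return False
    for depth, cert in enumerate(chain):
        if now > cert.not_after:
            return False
        # Every certificate above the leaf is being used as an issuer, so it
        # must say CA=TRUE. An absent extension is treated as "not a CA".
        if require_ca and depth > 0 and cert.is_ca is not True:
            return False
        if cert.issuer in roots:
            return roots[cert.issuer] == cert.signed_with
        if depth + 1 == len(chain):
            return False                 # chain ends before reaching a trusted root
        parent = chain[depth + 1]
        if parent.subject != cert.issuer or parent.subject_key != cert.signed_with:
            return False                 # modelled signature does not verify
    return False


def naive_validate(chain, hostname, roots, now) -> bool:
    """Name, expiry, signatures, trusted root: the four steps and nothing more."""
    return _validate(chain, hostname, roots, now, require_ca=False)


def strict_validate(chain, hostname, roots, now) -> bool:
    """Same walk, plus basicConstraints on every issuing certificate."""
    return _validate(chain, hostname, roots, now, require_ca=True)


# Constructed sample data using the names from the slides.
NOW = datetime(2009, 7, 29, tzinfo=timezone.utc)
EXPIRY = datetime(2010, 7, 29, tzinfo=timezone.utc)
AFTER_EXPIRY = datetime(2011, 1, 1, tzinfo=timezone.utc)
ROOTS = {"VeriSign": "k-root"}

INTERMEDIATE = Cert("Intermediate CA", "VeriSign", "k-int", "k-root", EXPIRY, True)
PAYPAL = Cert("paypal.com", "Intermediate CA", "k-paypal", "k-int", EXPIRY, False)
# An ordinary leaf issued without any basicConstraints extension.
THOUGHTCRIME = Cert("thoughtcrime.org", "Intermediate CA", "k-tc", "k-int", EXPIRY, None)
# A certificate for paypal.com whose issuer is that leaf.
EXTRA_LEAF = Cert("paypal.com", "thoughtcrime.org", "k-extra", "k-tc", EXPIRY, None)

NORMAL_CHAIN = [PAYPAL, INTERMEDIATE]
EXTENDED_CHAIN = [EXTRA_LEAF, THOUGHTCRIME, INTERMEDIATE]

if __name__ == "__main__":
    for label, chain in (("normal", NORMAL_CHAIN), ("extended", EXTENDED_CHAIN)):
        print(label,
              "naive:", naive_validate(chain, "paypal.com", ROOTS, NOW),
              "strict:", strict_validate(chain, "paypal.com", ROOTS, NOW))
```
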

And then in 2002...
● Microsoft did something particularly annoying, so I blew this up by publishing it.
● Microsoft claimed that it was impossible to exploit.
● So I also published the tool that exploits it.

sslsniff
● Intercept a connection from the client side.
● Generate a certificate for the site it is connecting to.
● Sign it with any random valid leaf node certificate.
● Pass that certificate chain to the client.
● Make a normal SSL connection to the server.
● Pass data between client and server, decrypting and encrypting on each end.

Lately, I've been talking about SSL Stripping...

brief

SSL can be useful, but how it's deployed matters

In the context of web browsing
● SSL is almost never encountered directly.
● It is either encountered as a result of:
  ● A 302 redirect from an HTTP URL to an HTTPS URL.
  ● An HTTPS link that a user clicks on from an HTTP page.
    – (Think, “My Cart,” “Checkout,” “Login,” etc...)

We Can Attack SSL Before We Even Get There

sslsniff

sslstrip

sslstrip
● Watch HTTP traffic go by.
● Switch <a href="https://..."> to <a href="http://...">
  ● and keep a map of what you've changed.
● Switch Location: https:// to Location: http://
  ● and keep a map of what you've changed.

sslstrip
● Watch HTTP traffic go by.
● When we see an HTTP request for a URL that we've stripped, proxy that out as HTTPS to the server.
● Watch the HTTPS traffic go by, log everything that we want, and keep a map of all relative, CSS, and JS links that go by.
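
An added example, not part of the talk or of sslstrip: a Python audit helper for a site owner that lists the HTTP-to-HTTPS transitions a cleartext response carries (the `Location` header and `https://` links named on the slides, plus form actions, which goes slightly beyond the slides) and reports which of them arrived downgraded when the origin's response is compared with what a client received. The function names and the `shop.example` responses are constructed for illustration.

```python
from html.parser import HTMLParser
from typing import List, Tuple

Point = Tuple[str, str]   # (where the URL appeared, the URL itself)


class _UrlCollector(HTMLParser):
    """Collect absolute http(s) URLs from <a href> and <form action>."""
    WATCHED = {"a": "href", "form": "action"}

    def __init__(self) -> None:
        super().__init__()
        self.found: List[Point] = []

    def handle_starttag(self, tag, attrs):
        wanted = self.WATCHED.get(tag)
        for name, value in attrs:
            if (name == wanted and value
                    and value.lower().startswith(("http://", "https://"))):
                self.found.append((f"<{tag} {name}>", value))


def collect_urls(raw_response: bytes) -> List[Point]:
    """Return the Location header and absolute link targets of one HTTP response."""
    head, _, body = raw_response.partition(b"\r\n\r\n")
    points: List[Point] = []
    for line in head.decode("iso-8859-1").split("\r\n")[1:]:   # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            points.append(("Location", value.strip()))
    collector = _UrlCollector()
    collector.feed(body.decode("utf-8", errors="replace"))
    collector.close()
    return points + collector.found


def upgrade_points(raw_response: bytes) -> List[Point]:
    """Places where a cleartext response sends the user on to HTTPS.

    Each one is delivered without authentication, so its integrity depends
    entirely on the network path between server and client.
    """
    return [(where, url) for where, url in collect_urls(raw_response)
            if url.lower().startswith("https://")]


def downgraded_points(origin_response: bytes, observed_response: bytes) -> List[Point]:
    """Upgrade points of the origin's response that the client saw as http://."""
    seen = {url for _, url in collect_urls(observed_response)}
    return [(where, url) for where, url in upgrade_points(origin_response)
            if url not in seen and "http://" + url[len("https://"):] in seen]


# Constructed sample responses (shop.example is a reserved example name).
ORIGIN_REDIRECT = (b"HTTP/1.1 302 Found\r\n"
                   b"Location: https://shop.example/login\r\n"
                   b"Content-Length: 0\r\n\r\n")
ORIGIN_PAGE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
               b'<html><body><a href="/about">About</a>'
               b'<a href="https://shop.example/checkout">Checkout</a>'
               b'<form action="https://shop.example/session" method="post"></form>'
               b"</body></html>")
# The same page as recorded at a client on an untrusted network (constructed).
OBSERVED_PAGE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                 b'<html><body><a href="/about">About</a>'
                 b'<a href="http://shop.example/checkout">Checkout</a>'
                 b'<form action="http://shop.example/session" method="post"></form>'
                 b"</body></html>")

if __name__ == "__main__":
    print("upgrade points:", upgrade_points(ORIGIN_REDIRECT) + upgrade_points(ORIGIN_PAGE))
    print("downgraded:", downgraded_points(ORIGIN_PAGE, OBSERVED_PAGE))
```
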

How Does It Look?

Where can we go from here?

Where do we need to go from here?

What's with certificates, anyways?
X509Certificate
  Version
  Serial Number
  Issuer
  Validity (not before X or after Y)
  Subject
  PublicKey
  SignatureAlgorithm
  Signature

The Big Three
● Secrecy
● Authenticity
● Integrity

SSL/TLS Handshake Beginnings
ClientHello
ServerHello, ServerCertificate

SSL Handshake Beginnings
X509Certificate
  Version
  Serial Number
  Issuer
  Validity
  Subject
  PublicKey
  SignatureAlgorithm
  Signature

The Problems For Us Begin
ClientHello
ServerHello, ServerCertificate?
Attacker

Let's start by looking back once more.

In 2000, things were different.

Notaries!

Identification!

Phone Calls!

Actual people involved...

That is a bygone era

These days it's all about: online domain validation

PKCS #10
CertificateRequest
  Version
  Subject
  PublicKey
  Attributes

PKCS #10
CertificateRequest
  Version
  Subject
  PublicKey
  Attributes
www.bankofamerica.com
WHOIS Lookup
Email [email protected]

PKCS #10
CertificateRequest
  Version
  Subject
  PublicKey
  Attributes
certificate.authorities.are.a.total.ripoff.bankofamerica.com
Subjects
DistinguishedName
Country
State
Locale
Organization
Organizational Unit
Common Name
![Page 71: More Tricks For Defeating SSL In Practice - Black Hat · More Tricks For Defeating SSL In Practice Moxie Marlinspike moxie@thoughtcrime.org Moxie Marlinspike Institute For Disruptive](https://reader030.vdocuments.net/reader030/viewer/2022041222/5e0ccb42487f3f10697ce6ba/html5/thumbnails/71.jpg)
Moxie MarlinspikeInstitute For Disruptive Studies
Subjects
DistinguishedName
Country
State
Locale
Organization
Organizational Unit
Common Name
● The X.509 standard is a total nightmare.
● Three revisions, twenty years.
● Parts of the standard have literally been “lost” and then later “found” again.
![Page 72: More Tricks For Defeating SSL In Practice - Black Hat · More Tricks For Defeating SSL In Practice Moxie Marlinspike moxie@thoughtcrime.org Moxie Marlinspike Institute For Disruptive](https://reader030.vdocuments.net/reader030/viewer/2022041222/5e0ccb42487f3f10697ce6ba/html5/thumbnails/72.jpg)
Moxie MarlinspikeInstitute For Disruptive Studies
Subjects
DistinguishedName
Country
State
Locale
Organization
Organizational Unit
Common Name
● The original vision for the DN was that each DN would fit into some global Directory Information Tree.
● In practice, the standard is weak, everyone does everything differently, and the global DIT never materialized.
● “There is nothing in any of these standards that would prevent me from including a 1 gigabit MPEG movie of me playing with my cat as one of the RDN components of the DN in my certificate.”
-- Bob Jueneman on IETF-PKIX
Common Name www.bankofamerica.com
CN
commonName ::=
SEQUENCE { { 2 5 4 3 }, StringType( SIZE( 1...64 ) ) }
● IA5String:
    ● 0x16 – ID
    ● 0x05 – Length (5 Chars)
    ● 0x76, 0x61, 0x6c, 0x75, 0x65 – v, a, l, u, e
CN Encoding
● Essentially, the CN field is represented as a PASCAL String.
● This is different from how C strings are represented.
0xe w w w . p a y p a l . c o m
w w w . p a y p a l . c o m \0
PKCS #10 Subject
DistinguishedName
Country
State
Locale
Organization
Organizational Unit
Common Name www.paypal.comthoughtcrime.org
Common Name www.thoughtcrime.org
Common Name verisign.eats.children.thoughtcrime.org
Common Name iiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiii.thoughtcrime.org
Common Name www.paypal.com\0.thoughtcrime.org
PKCS #10 Certificate Signing Request
CertificateRequest
Version
Subject
PublicKey
Attributes
www.paypal.com\0.thoughtcrime.org
WHOIS Lookup
And contact... me!
Our Original Scenario
ClientHello
ServerHello, ServerCertificate[www.paypal.com\0.thoughtcrime.org]
Attacker
X509Certificate
Version
Serial Number
Issuer
Validity
Subject
PublicKey
SignatureAlgorithm
Signature
char *destination = getDomainWeAreConnectingTo();
char *commonName = getCommonNameFromCertificate();
bool everythingIsOk = (strcmp(destination, commonName) == 0);
In memory, though...
w w w . p a y p a l . c o m \0
char *destination
w w w . p a y p a l . c o m \0 . t h o u g h t c r i m e . o r g \0.
char *commonName
In the eyes of most SSL implementations, this certificate is completely valid for www.paypal.com
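The comparison from the slides next to a length-aware version, as an added example that is not code from the talk or from any SSL library. The struct and function names and the two sample CN encodings are constructed for illustration, and the CN is assumed to arrive as one short-form DER string TLV.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A certificate string as ASN.1 stores it: bytes plus an explicit length. */
struct cn_value {
    const unsigned char *data;
    size_t len;
};

/* Constructed sample TLVs: tag 0x16 (IA5String), one-byte length, value. */
static const unsigned char CN_HONEST[]  = "\x16\x0e" "www.paypal.com";
static const unsigned char CN_NULBYTE[] =
    "\x16\x20" "www.paypal.com\0.thoughtcrime.org";  /* 0x20 = 32 bytes */

/* Decode one DER string TLV with a short-form length. */
static bool der_read_string(const unsigned char *der, size_t der_len,
                            struct cn_value *out)
{
    if (der_len < 2)
        return false;
    /* 0x0c UTF8String, 0x13 PrintableString, 0x16 IA5String */
    if (der[0] != 0x0c && der[0] != 0x13 && der[0] != 0x16)
        return false;
    if ((der[1] & 0x80) || der[1] > der_len - 2)
        return false;               /* long form or truncated value */
    out->data = der + 2;
    out->len = der[1];
    return true;
}

/* The slide's check: the CN becomes a C string, so strcmp() stops at
 * the first NUL and never sees the rest of the value. */
static bool match_cn_strcmp(const char *destination, const struct cn_value *cn)
{
    char buf[128];
    if (cn->len >= sizeof buf)
        return false;
    memcpy(buf, cn->data, cn->len);
    buf[cn->len] = '\0';
    return strcmp(destination, buf) == 0;
}

/* Reject anything that is not a plain hostname byte, NUL included. */
static bool cn_is_wellformed(const struct cn_value *cn)
{
    for (size_t i = 0; i < cn->len; i++) {
        unsigned char c = cn->data[i];
        if (!(isalnum(c) || c == '-' || c == '.'))
            return false;
    }
    return cn->len > 0;
}

/* Length-aware check: validate every byte of the ASN.1 value, then
 * compare over the certificate's own length, not up to a terminator. */
static bool match_cn_strict(const char *destination, const struct cn_value *cn)
{
    size_t dlen = strlen(destination);
    if (!cn_is_wellformed(cn) || cn->len != dlen)
        return false;
    for (size_t i = 0; i < dlen; i++) {
        if (tolower((unsigned char)destination[i]) != tolower(cn->data[i]))
            return false;
    }
    return true;
}

bool naive_accepts(const unsigned char *der, size_t n, const char *host)
{
    struct cn_value cn;
    return der_read_string(der, n, &cn) && match_cn_strcmp(host, &cn);
}

bool strict_accepts(const unsigned char *der, size_t n, const char *host)
{
    struct cn_value cn;
    return der_read_string(der, n, &cn) && match_cn_strict(host, &cn);
}

int main(void)
{
    const char *host = "www.paypal.com";
    printf("honest CN:  naive=%d strict=%d\n",
           naive_accepts(CN_HONEST, sizeof CN_HONEST - 1, host),
           strict_accepts(CN_HONEST, sizeof CN_HONEST - 1, host));
    printf("NUL in CN:  naive=%d strict=%d\n",
           naive_accepts(CN_NULBYTE, sizeof CN_NULBYTE - 1, host),
           strict_accepts(CN_NULBYTE, sizeof CN_NULBYTE - 1, host));
    return 0;
}
```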
What are “most” SSL implementations?
● Web Browsers
    ● Firefox (all versions), IE (all versions), Lynx, Curl
● Mail Clients
    ● Thunderbird, Outlook, Evolution
● Chat Clients
    ● Pidgin, AIM, irssi, centericq
● SSL VPNs
    ● AEP, Citrix, etc...
A First Cut: updated sslsniff
sslsniff
Iff “null prefix attack” certificate is available
How does it look?
Disadvantages
1) Targeted attacks are kind of lame.
Maybe there's another trick in here somewhere...
Universal Wildcard
*\0.thoughtcrime.org
*~.thoughtcrime.org
Other Weird Stuff
● (www.paypal.com|mail.google.com|www.etrade.com|www.bankofamerica.com|www.wachovia.com|www.pnc.com|www.wellsfargo.com)\0.thoughtcrime.org
And... your remote exploit.
    char *e2 = (char *) PORT_Alloc(sizeof(char)*strlen(exp));
    register int t,p2,p1 = 1;
    int cp;

    while(1) {
        for(cp=1;exp[cp] != ')';cp++)
            if(exp[cp] == '\\')
                ++cp;
        for(p2 = 0;(exp[p1] != '|') && (p1 != cp);p1++,p2++) {
            if(exp[p1] == '\\')
                e2[p2++] = exp[p1++];
            e2[p2] = exp[p1];
        }
        for (t=cp+1; ((e2[p2] = exp[t]) != 0); ++t,++p2) {}
        if(_shexp_match(str,e2, case_insensitive) == MATCH) {
            PORT_Free(e2);
            return MATCH;
        }
        ...
(AAAAAAAAAAAAAAAAAAAAAAA\0OVERWRITE).foo.com
✔ No signed signature required!
✔ Possible to sneak non-ASCII characters past the NSS filters.
✔ This yields something exploitable in Firefox, Thunderbird, Evolution, Pidgin, and AIM.
A Second Cut: sslsniff with wildcard support
sslsniff
● Perform MITM if “null termination attack” cert is available.
● Or perform MITM with “universal wildcard” cert if client is NSS.
A Second Cut: updated sslsniff
sslsniff
● Watches network and fingerprints clients for level of vulnerability.
● Every NSS client's communication is intercepted – either with a specific “null termination” certificate, or with the “universal wildcard” certificate.
● Every non-NSS client that is vulnerable is intercepted with a “null termination” certificate if available for the destination host.
● Non-vulnerable clients are left alone to avoid detection.
What do we have to worry about?
1) Certificate Revocation
It would be unfortunate if some bitter Certificate Authority decided to revoke my universal wildcard certificates or any of my null-termination certificates.
2) Updates
It would be unfortunate if some bitter SSL implementation decided to start paying attention to how ASN.1 is formatted.
1) Certificate Revocation
● It would be unfortunate if some bitter Certificate Authority decided to revoke our universal wildcard certificates or any of our null-termination certificates.
2) Updates
● It would be unfortunate if some bitter SSL implementation decided to start paying attention to how ASN.1 is formatted.
1) Certificate Revocation
● These days, it's all about Online Certificate Status Protocol (OCSP).
● Whenever an SSL stack sees a new certificate, it makes a quick request to the OCSP URL that the signing CA embedded in it.
● The SSL stack receives a signed response from the OCSP provider indicating whether the certificate has been revoked or not.
Defeating OCSP
OCSPResponse ::= SEQUENCE {
    responseStatus OCSPResponseStatus,
    responseBytes [0] EXPLICIT ResponseBytes OPTIONAL
}
ResponseBytes ::= SEQUENCE {
    responseType OBJECT IDENTIFIER,
    response OCTET STRING
}
BasicOCSPResponse ::= SEQUENCE {
    tbsResponseData ResponseData,
    signatureAlgorithm AlgorithmIdentifier,
    signature BIT STRING,
    certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL
}
OCSPResponseStatus ::= ENUMERATED {
    successful (0),        --Response has valid confirmations
    malformedRequest (1),  --Illegal confirmation request
    internalError (2),     --Internal error in issuer
    tryLater (3),          --Try again later
                           --(4) is not used
    sigRequired (5),       --Must sign the request
    unauthorized (6)       --Request unauthorized
}
OCSPResponse ::= SEQUENCE {
    responseStatus OCSPResponseStatus = 3,
    responseBytes [0] EXPLICIT ResponseBytes OPTIONAL
}
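What this means for a client deciding how to treat an OCSP answer, as an added example that is not code from the talk or from any SSL stack. It parses only the outer OCSPResponse shown above; the verdict names, the hard_fail switch and both sample encodings are assumptions constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct ocsp_outer {
    int status;               /* OCSPResponseStatus value */
    bool has_response_bytes;  /* the only place a signature can live */
};

enum rev_verdict {
    REV_VERIFY_SIGNATURE,        /* successful: go verify BasicOCSPResponse */
    REV_UNAUTHENTICATED_ACCEPT,  /* soft-fail: unsigned answer, cert accepted */
    REV_UNAUTHENTICATED_REJECT,  /* hard-fail: unsigned answer, cert refused */
    REV_MALFORMED
};

/* Constructed sample: SEQUENCE { ENUMERATED 3 }, i.e. a bare tryLater. */
static const unsigned char RESP_TRY_LATER[] = { 0x30, 0x03, 0x0a, 0x01, 0x03 };

/* Constructed sample: successful(0) plus a responseBytes wrapper whose
 * OCTET STRING holds a one-byte placeholder, not a real signed response. */
static const unsigned char RESP_SUCCESS_SKELETON[] = {
    0x30, 0x15, 0x0a, 0x01, 0x00, 0xa0, 0x10, 0x30, 0x0e,
    0x06, 0x09, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x01,
    0x04, 0x01, 0x00
};

/* Read a DER length and check that the value fits before `end`. */
static bool der_length(const unsigned char **p, const unsigned char *end,
                       size_t *out)
{
    if (*p == end)
        return false;
    size_t v = *(*p)++;
    if (v & 0x80) {
        size_t nbytes = v & 0x7f;
        if (nbytes == 0 || nbytes > sizeof(size_t) ||
            nbytes > (size_t)(end - *p))
            return false;
        v = 0;
        while (nbytes--)
            v = (v << 8) | *(*p)++;
    }
    *out = v;
    return v <= (size_t)(end - *p);
}

bool ocsp_parse_outer(const unsigned char *der, size_t n,
                      struct ocsp_outer *out)
{
    const unsigned char *p = der, *end = der + n;
    size_t len;

    if (p == end || *p++ != 0x30 || !der_length(&p, end, &len))
        return false;                       /* outer SEQUENCE */
    if (len != (size_t)(end - p))
        return false;                       /* no trailing bytes allowed */
    if (p == end || *p++ != 0x0a || !der_length(&p, end, &len) || len != 1)
        return false;                       /* ENUMERATED responseStatus */
    out->status = *p++;
    out->has_response_bytes = false;
    if (p != end) {                         /* [0] EXPLICIT ResponseBytes */
        if (*p++ != 0xa0 || !der_length(&p, end, &len) || len == 0)
            return false;
        out->has_response_bytes = true;
        p += len;
    }
    return p == end;
}

/* Every status other than successful(0) arrives without responseBytes,
 * so nothing in it is signed. What the client does next is pure policy. */
enum rev_verdict ocsp_classify(const unsigned char *der, size_t n,
                               bool hard_fail)
{
    struct ocsp_outer o;
    if (!ocsp_parse_outer(der, n, &o))
        return REV_MALFORMED;
    if (o.status == 0)
        return o.has_response_bytes ? REV_VERIFY_SIGNATURE : REV_MALFORMED;
    return hard_fail ? REV_UNAUTHENTICATED_REJECT : REV_UNAUTHENTICATED_ACCEPT;
}

int main(void)
{
    printf("tryLater, soft-fail: %d\n",
           ocsp_classify(RESP_TRY_LATER, sizeof RESP_TRY_LATER, false));
    printf("tryLater, hard-fail: %d\n",
           ocsp_classify(RESP_TRY_LATER, sizeof RESP_TRY_LATER, true));
    printf("successful skeleton: %d\n",
           ocsp_classify(RESP_SUCCESS_SKELETON,
                         sizeof RESP_SUCCESS_SKELETON, true));
    return 0;
}
```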
PROPOSED STANDARD
Network Working Group            M. Myers
Request for Comments: 2560       VeriSign
Category: Standards Track        R. Ankney
                                 CertCo
                                 A. Malpani
                                 ValiCert
                                 S. Galperin
                                 My CFO
                                 C. Adams
                                 Entrust Technologies
                                 June 1999
X.509 Internet Public Key Infrastructure
Online Certificate Status Protocol - OCSP
Status of this Memo
This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (1999). All Rights Reserved.
3
A Third Cut: ocsp-aware sslsniff
sslsniff
● Watch the network and fingerprint clients for level of vulnerability.
● Every NSS client's communication is intercepted – either with a specific “null termination” certificate, or with the “universal wildcard” certificate.
● Every non-NSS client that is vulnerable is intercepted with a “null termination” certificate if available for the destination host.
● Non-vulnerable clients are left alone to avoid detection.
● Optionally watch for OCSP requests corresponding to certificates we're using, and “tryLater” them to defeat OCSP.
What do we have to worry about?
2) Updates
● It used to be that people, you know, downloaded and installed updates.
● As software gets more complicated, it is inevitably shipped with more bugs, and attackers are situated to exploit them on a larger scale.
● So some have felt the need to deploy self-updating software in order to fix problems rapidly.
What do we have to worry about?
2) Updates
● This is bad news for us, because by standing here and talking to you about this stuff, it probably means that SSL implementations are going to fix these problems.
● But their update mechanisms in themselves seem like kind of a dangerous idea, right?
● Maybe there's something we can do about our problem.
Firefox/Thunderbird: A Case Study
● When you install Firefox, it comes with a feature called “automatic update service,” which happens to be enabled by default.
● Here be dragons.
Firefox/Thunderbird: A Case Study
(TLS connection to: aus2.mozilla.org)
“Hello, do you have any updates for me? Here's my product, version, build ID, OS, locale, and channel.”
Update Server In The Sky
(TLS connection to: aus2.mozilla.org)
“As a matter of fact, I do. Here's an unsigned blob of data – you'd do well to install it.”
Firefox/Thunderbird: A Case Study
● Firefox and Thunderbird depend on their TLS connection to the update server to defend them against all possible attacks.
● Code is returned from the update server either as a binary diff against the distribution binary the client is running, or as a complete image of the binary.
● By default, “minor” updates are downloaded and installed silently – only prompting the user to restart their browser once everything is done.
● The update server is the one who reports the version number of the update, so it is effectively up to the server whether the image it provides is installed silently or not.
Firefox/Thunderbird: A Case Study
● As vendors start to release patches for this vulnerability, the update mechanisms themselves will be vulnerable.
● All we need is a universal wildcard cert, or alternately a null-termination prefix cert for aus2.mozilla.org, and we can take control of the update mechanism to deliver payloads of our choice.
● This could be anything:
– A rootkit that logs keystrokes.
– Something that sends all traffic/email through a server of our choosing.
– A completely legitimate image that just happens to include our own CA certs.
– Or, just to be confusing, a totally different web browser (“Thank you for updating to Galeon 0.0.3!”) or even a completely different type of application – notepad.exe comes to mind.
Firefox/Thunderbird: A Case Study
● In order to patch your system effectively, you will not be able to trust anything that comes through automatic updates.
A Fourth Cut: update-aware sslsniff
sslsniff
● Watch the network and fingerprint clients for level of vulnerability.
● Every NSS client's communication is intercepted – either with a specific “null prefix” certificate, or with the “universal wildcard” certificate.
● Every non-NSS client that is vulnerable is intercepted with a “null prefix” certificate if available for the destination host.
● Non-vulnerable clients are left alone to avoid detection.
● Optionally watch for OCSP requests corresponding to certificates we're using, and “tryLater” them to defeat OCSP.
● Optionally watch for Firefox/Thunderbird update polls, and respond with a “custom” build.
Postscript: Stripping NULL is no solution
● Some SSL/TLS implementations (Safari, Opera) appear to strip '\0' from commonName strings before comparing.
● Thus:
www.paypal.com\0.thoughtcrime.org
● Becomes:
www.paypal.com.thoughtcrime.org
Postscript: Stripping NULL is no solution
● These implementations are vulnerable to a variation of our attack.
● The key is that some Certificate Authorities are vulnerable to this attack internally.
● When presented with www.paypal.com\0.thoughtcrime.org, some CAs internally validate it as www.paypal.com
● But the whole string (www.paypal.com\0.thoughtcrime.org) is what ends up in the subject of the cert they later issue.
Postscript: Stripping NULL is no solution
● So if we register a domain like sitekey.ba
● We can get a certificate for sitekey.ba\0nkofamerica.com
● The CAs that are internally vulnerable to this attack will validate that certificate against sitekey.ba, which we own.
● When the cert is later presented to an SSL implementation that strips \0, the certificate's common name becomes: sitekey.bankofamerica.com
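Added example (not from the talk or from any named TLS stack): the three ways of handling an embedded NUL in a commonName discussed in this postscript, side by side. Truncating and stripping each produce a different effective name from the same bytes; the hardened variant refuses any name that is not plain hostname syntax. All function names are hypothetical and the inputs are the strings from the slides.

```python
import re

# Conservative hostname syntax: LDH labels, optional leading "*." wildcard label.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME = re.compile(r"(?:\*\.)?(?:%s\.)*%s\Z" % (_LABEL, _LABEL))

def name_truncating(cn: bytes) -> bytes:
    """C-string behaviour: everything after the first NUL is ignored."""
    return cn.split(b"\x00", 1)[0]

def name_stripping(cn: bytes) -> bytes:
    """The strip-before-compare behaviour described above: NULs are deleted."""
    return cn.replace(b"\x00", b"")

def name_strict(cn: bytes):
    """Hardened: a name with any byte outside hostname syntax is not a name."""
    try:
        text = cn.decode("ascii")
    except UnicodeDecodeError:
        return None
    return cn if _HOSTNAME.match(text) and len(text) <= 253 else None

def matches(effective_name, requested_host: str) -> bool:
    """Exact, case-insensitive comparison (wildcard matching left out)."""
    return effective_name is not None and \
        effective_name.lower() == requested_host.lower().encode("ascii")

# Constructed inputs: the two subject names used on the slides.
PREFIX_CN = b"www.paypal.com\x00.thoughtcrime.org"
STRIP_CN = b"sitekey.ba\x00nkofamerica.com"
```

The same strict check belongs on the CA side as well: the name that was validated and the full subject string that gets issued must be byte-for-byte identical.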
Conclusion
● We have a MITM attack that will intercept communication for almost all SSL/TLS implementations.
● In the case of NSS (Firefox, Thunderbird, Evolution, AIM, Pidgin) we only need a single certificate.
● We've defeated the OCSP protocol as implemented.
● We've hijacked the Mozilla auto-updates for both applications and extensions.
● We've got an exploitable overflow.
● In short, we've got your passwords, your communication, and control over your computer.